nanocore | b96ae4aab134c7612bd21311ee76a7b0b0dc14af7b2e10713564e50fc739967e | Triage

Sharing

General

Target

e90d3150b729f9e9f8271ed964da0d14.exe
Size

608KB
Sample

211011-say8hshee8
MD5

e90d3150b729f9e9f8271ed964da0d14
SHA1

08f865e0f25ca9f7e19f04e8d437214f924c3bb8
SHA256

b96ae4aab134c7612bd21311ee76a7b0b0dc14af7b2e10713564e50fc739967e
SHA512

e60900a239117ff9959f3bed2e889814527a814fb1d00041e09c9e589fe017cf9f0f43cd54a75f5cebbbbf384ec4f0001cc94f10999a9bfcd43269d67fdba631

Score

10^/10

nanocore evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

ella666.duckdns.org:31829

mikeljack321.ddns.net:31829

Mutex

a34ced25-fb8b-4570-a6e3-066f7f9be505

Attributes

activate_away_mode
true
backup_connection_host
mikeljack321.ddns.net
backup_dns_server
mikeljack321.ddns.net
buffer_size
65535
build_time
2021-07-12T10:54:00.175448736Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
31829
default_group
AAA
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
a34ced25-fb8b-4570-a6e3-066f7f9be505
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
ella666.duckdns.org
primary_dns_server
ella666.duckdns.org
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  e90d3150b729f9e9f8271ed964da0d14.exe
- Size
  
  608KB
- MD5
  
  e90d3150b729f9e9f8271ed964da0d14
- SHA1
  
  08f865e0f25ca9f7e19f04e8d437214f924c3bb8
- SHA256
  
  b96ae4aab134c7612bd21311ee76a7b0b0dc14af7b2e10713564e50fc739967e
- SHA512
  
  e60900a239117ff9959f3bed2e889814527a814fb1d00041e09c9e589fe017cf9f0f43cd54a75f5cebbbbf384ec4f0001cc94f10999a9bfcd43269d67fdba631
Score

10^/10

nanocore evasion keylogger spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

nanocoreevasionkeyloggerspywarestealertrojan

behavioral2

nanocoreevasionkeyloggerspywarestealertrojan